Quick Responses: A Q&A with Cyber Incident Response Team’s Gwenn Cujdik

Original Content: AXA XL

The best way to deal with cybersecurity breaches is to prevent them from happening. But there’s no place for complacency in cybersecurity, so no matter how strong a company thinks its safeguards are, it also needs a plan for responding swiftly, effectively, and credibly to the worst-case scenario.

That’s why AXA XL launched its North America Cyber Incident Response Team -- to help clients before, during and after cyber breaches. The team is headed by Gwenn E. Cujdik, who brings a unique perspective to her work as Manager of the North America Cyber Incident Response Team. An attorney, her background encompasses investigation, crisis management and litigation related to data privacy, cybersecurity, and regulation.

Prior to joining AXA XL, Gwenn was a Partner at Mullen Coughlin LLC, where she focused on data privacy and cybersecurity incident response and compliance. A former Assistant District Attorney in Philadelphia, she began her career prosecuting criminals. Now, her collective career experience is helping AXA XL address their clients’ need to respond quickly to cyber risks and criminals.

Here, Gwenn answers questions about the state of cybersecurity, how companies can best protect themselves and why a quick response is so important in helping to minimize potential losses.

Q: Why is this the right time to increase vigilance against cyber threats?

GC: Recent events involving significantly high-profile ransomware matters have had a substantial impact on companies, and with that visibility has come greater understanding. As a result, companies are reaching out to get assistance in better securing their environment and managing the risk associated with these cyber events. By providing the support of established experts, this team gives clients cybersecurity guidance without requiring them to get fully up to speed in the field.

Q: Has the proliferation of remote work raised the stakes on managing cybersecurity well?

GC: Since the pandemic increased the number of people working at home, there’s been a greater blend of our personal and professional lives. Best practices keep business and personal devices separate. But in real life, people are mixing their use of both in a way that raises added cybersecurity concerns for companies, which now must ensure that every device that employees use to access work is protected — and that the company is protected from risks that may be posed by those devices.

The prevalence of remote work also raises the stakes on the human element in the cybersecurity equation. That’s why, in addition to securing devices, companies must step up their game on employee training to safeguard the company’s infrastructure, its data and its intellectual property against breaches enabled by human error.

Q: What is your team’s role in this safeguarding process?

GC: Our Cyber Incident Response Team is unique in that it’s taking a holistic approach to assisting our clients. From the time the insurance policy is issued, we look for what can we do to help achieve better security. We can offer recommendations, discuss pre-incident services, and talk through existing incident response plans. During those discussions, we may ask questions that help to expose areas of vulnerability that we, in partnership with our vendors, can work with clients to resolve.

In the event that an incident does occur, clients have a direct line to our team, either through me or through our hotline, and within minutes AXA XL will have a claim specialist working on the matter. We’ll have a team of specialists — from breach coaches to forensic investigators — on a call with our clients that same morning, afternoon, or evening to get a comprehensive response organized immediately. It’s essential for clients to have a high caliber of service at their disposal when, in a moment of panic, they may not have the calm or clarity necessary to consider their obligations under 50 different state laws, or international regulations, or to vet vendors and experts necessary to orchestrate an effective and credible response.

Q: What expertise does the team have in managing ransomware threats? Do you have recommendations for companies to better manage this threat?

GC: We’ve built a team with significant breach management and response experience. My expertise stems from assisting as a Breach Coach (an attorney specializing in Cyber Incident Response and Data Privacy Laws) and as a Cyber Claims Specialist in hundreds of cyber events from the initial call that something is happening through remediation, restoration, and investigation to notification and follow-up from stakeholders, business partners, regulators, law enforcement, and impacted populations thereafter. Many of those incidents particularly in the last few years have been ransomware events. With ransomware, bad actors are locking up your systems and gaining access to information they can steal. The best protection is to secure systems and segregate important information so that if there is a breach, key information is not accessible. And that segregation needs to extend to backups. We want to make sure that our clients have a copy in a secure place so if someone gets into the system, they can’t access, delete or encrypt that backup. Of course, that requires companies to engage consistently in best practices in backup frequency and in maintaining adequate storage for that data.

We also encourage companies to assess and address the risks that could emerge if the credentials of key players with administrative rights are compromised. Companies should have business continuity/disaster recovery plans in place to ensure that critical systems and data restoration can occur as quickly and safely as possible and that there are workaround solutions in place to keep the company afloat during the restoration process. Incident response plans are also a key component to effectively responding to a ransomware event. These plans outline the response process, roles, and responsibilities of the internal response team, who to contact and when, incident response vendor information, company procedures and protocols in the event of a breach, and may include communication strategies, restoration and remediation strategies, and other critical information relating to a response.

Q: Should companies establish a communications strategy for protecting business partners, customers, vendors, and other stakeholders against cybercrimes that spoof their letterheads, emails, website, or other elements of their company identity?

GC: We advise our insureds to discuss external communications with a breach coach. This consult includes discussing communication with critical stakeholders, including customers, vendors, and other business partners in the event there is a spoof of company letterhead, emails, website or other elements of their identity. It is also important for the company to understand the full nature and extent of an event involving identity spoofing to help inform an appropriate response. For example, is this event occurring as a result of a cyber incident within the company, is it an issue involving a cyber event of a vendor, or is it the result of social engineering of publicly available information? There needs to be some level of investigation into the event to determine the who, what, when, where and how to develop the best and most appropriate communication strategies, which includes a determination as to whether any communications or public statements are appropriate.

Q: From phishing to spoofing to ransomware, cyber events are also a threat to reputation. How can AXA XL’s Cyber Incident Response Team help prepare for that aspect of the response and recovery?

GC: When a company is down, everyone has questions, from customers, employees and business partners to law enforcement agencies, regulators, and media. The breadth of the event determines the scale of its impact on external entities, including other companies or the supply chain, which may garner attention not only from impacted entities, but also media. Whatever its scope, it is essential for companies to have experts in their corner to help manage that.

Part of our service to our clients is leveraging our expertise in cyber incident response to work through these issues, and to connect our clients with best-in-class breach coaches and other vendors with vetted expertise in assisting with cyber security incident response. To best maintain a company’s reputational integrity and reduce risk, our team is positioned to move fast and to work collaboratively with our clients to put in place the highest level of services from the inception of an incident and throughout the life of that event so every aspect of the response and messaging surrounding the event is exceptional.

Our goal is to provide, in every matter, the best support and partnership to our clients so they can maintain their hard-earned reputation, and get back to business as usual, as quickly as possible.

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.